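# Virtual host for overcomers.group: static files plus PHP handed to php-fpm,
# reachable on plain HTTP (80) and TLS (443) from the same server block.
server {
    # NOTE(review): port 80 serves the whole site in clear text and no
    # HTTP->HTTPS redirect is visible in this block. HSTS below only protects
    # clients that have already connected once over HTTPS; confirm whether a
    # redirect (keeping the ACME challenge path on HTTP) is wanted.
    listen 80;
    listen 443 ssl;
    server_name overcomers.group;

    access_log /var/log/nginx/overcomers_access.log main;
    error_log  /var/log/nginx/overcomers_error.log info;

    # --- TLS settings ---
    # Every suite in ssl_ciphers is strong, so the client's preference is honoured.
    ssl_prefer_server_ciphers off;

    # TLSv1.1 dropped: it is deprecated (RFC 8996), and all suites listed below
    # are AEAD suites that exist only from TLS 1.2 on, so a 1.1 handshake could
    # not have selected a cipher anyway. Add TLSv1.3 here once the installed
    # nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;

    # Custom DH group for the DHE-RSA suites.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;

    # HSTS, max-age of roughly six months. "always" makes nginx attach the
    # header to error responses too; without it only a fixed set of 2xx/3xx
    # responses carry it.
    add_header Strict-Transport-Security "max-age=15768000" always;

    ssl_certificate     /somepath/certificates/overcomers.group.crt;
    ssl_certificate_key /somepath/certificates/overcomers.group.key;

    # --- ACME HTTP-01 challenge ---
    # "^~" stops regex matching for this prefix, so the deny and PHP rules
    # below never apply to challenge files. They are served from a separate
    # root, not from the application tree.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/tmp;
        allow all;
    }

    # The bare challenge directory itself is never served.
    location = /.well-known/acme-challenge/ {
        return 404;
    }

    # Application document root, shared by the locations below.
    set $docdir /var/www/overcomers;

    # Internal application directories must not be reachable over the web.
    # Regex locations are tried in file order and the first match wins, so this
    # rule has to stay ahead of the static-asset and PHP locations.
    location ~ /(data|conf|bin|inc|vendor)/ {
        deny all;
    }

    location / {
        root $docdir;
        index index.php index.html index.htm;
    }

    # Static assets are not written to the access log. The dot before the
    # extension is escaped so that only real file extensions match; unescaped,
    # any URI merely ending in "js", "xml", ... would also have gone unlogged.
    location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico|xml)$ {
        root $docdir;
        access_log off;
    }

    # Block .htaccess / .htpasswd style files.
    # NOTE(review): other dotfiles under the document root are not covered by
    # this rule; confirm none are deployed there.
    location ~ /\.ht {
        deny all;
    }

    location ~ \.php$ {
        # Reject URIs of the form /file.ext/anything.php, so a non-PHP file
        # cannot be passed to the interpreter through a trailing path component.
        location ~ \..*/.*\.php$ {
            return 404;
        }

        root $docdir;

        # Hand the request to php-fpm only if the script exists on disk.
        try_files $uri =404;

        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
        fastcgi_index index.php;
        # Tell PHP the request arrived over TLS; omitted on plain HTTP.
        fastcgi_param HTTPS $https if_not_empty;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}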